I have a requirement to add role-based authorization for some secure pages. I want to set a property for pages called "Security Groups". This property will contain the group names which shall have access to that page. I have configured the SAML authn handler with Okta as IDP. After login, when the SAML response is submitted to the AEM ACS URL, viz. /content/****/saml_login, I want to read "Security Groups" from the page property and the groups of the logged-in user from the SAML response, and if there is a match between the page property value and the SAML response groups attribute, then allow the user to view the page; if not, then redirect the user to an error page.
User data is maintained in Active Directory and Okta provides those details, so I don't want to recreate those groups in AEM, I just want to do the authorization on the go. I want to set the groups coming from Okta into the user session, and on every page request, match the "Security Groups" property of the page with the groups in the session.
I want to point out that the code presented here (and marked as the correct answer) is not "security". It just prevents you from accessing that page directly (with a direct request), but it does not prevent other pages from including it.
For example, if you secured the pages below /content/brand/securepages with the approach described, they can be accessed by using /content/brand.2.json; content in there can be referenced directly (using a reference component), etc. If you really want proper authorization for this content, you need to use ACLs on the content level, as they are always enforced, no matter at what level you want to access that content.
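As an added illustration of the ACL approach the reply recommends (not code from this thread or from AEM itself), the snippet below denies jcr:read on /content/brand/securepages to everyone and re-allows it for one group principal. It assumes a service-user session that may modify access control and a group named "secure-page-readers" (a placeholder) that your SAML handler's group synchronisation populates.

```java
// Added example: enforce "only these groups may read" at the repository level instead of in a
// request filter, so the JSON renderings and reference components mentioned above are covered too.
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

public final class SecurePagesAcl {
    public static final String SECURE_PATH = "/content/brand/securepages"; // path from the thread
    public static final String READER_GROUP = "secure-page-readers";      // placeholder group name

    /** Deny jcr:read to everyone under SECURE_PATH, then allow it again for READER_GROUP only. */
    public static void apply(Session adminSession) throws RepositoryException {
        PrincipalManager pm = ((JackrabbitSession) adminSession).getPrincipalManager();
        Principal group = pm.getPrincipal(READER_GROUP);
        if (group == null) {
            // The group must exist in the repository (e.g. created by the SAML handler's group sync).
            throw new IllegalStateException("group principal not found: " + READER_GROUP);
        }
        String[] read = { Privilege.JCR_READ };
        // Deny first, then allow: within one ACL the later entry takes precedence, which is the
        // same deny-everyone / allow-group pattern AEM's closed user groups use.
        AccessControlUtils.addAccessControlEntry(adminSession, SECURE_PATH, pm.getEveryone(), read, false);
        AccessControlUtils.addAccessControlEntry(adminSession, SECURE_PATH, group, read, true);
        adminSession.save();
    }

    /**
     * Verification hook: with the ACL in place, a session for a user outside READER_GROUP cannot
     * even see the node, regardless of whether it is requested as .html, .2.json or by reference.
     */
    public static boolean canRead(Session userSession) throws RepositoryException {
        return userSession.nodeExists(SECURE_PATH);
    }
}
```

Run apply() once from a service user, then check canRead() with a session for a user in the group and one outside it; the second should return false even for /content/brand.2.json, since that rendering reads the same nodes.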